Add nonfile fragments #38

Merged
merged 7 commits into from
Nov 7, 2013
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -28,3 +28,4 @@ doc/
metadata.json
coverage/
spec/fixtures/modules/*
Gemfile.lock
42 changes: 41 additions & 1 deletion README.md
Expand Up @@ -34,6 +34,12 @@ Array of users allowed to log in.

- *Default*: root

limits_fragments
----------------
Hash of fragments to pass to pam::limits::fragments

- *Default*: undef

package_name
------------
Array of packages providing the pam functionality. If undef, parameter is set based on the OS version.
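Review bot: the description under `limits_fragments` names the resource `pam::limits::fragments`, but the define documented further down in this README and in manifests/limits/fragment.pp is `pam::limits::fragment` (singular); fix the name so readers grep for the right define. It would also help to say the hash is fed to `create_resources`, so each key becomes the fragment `$name` and therefore the file name under the limits.d directory.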
Expand Down Expand Up @@ -295,12 +301,17 @@ Path to limits.d directory
Places a fragment in $limits_d_dir directory

## Parameters for `pam::limits::fragment`
Source or list **must** be set.

source
------
String - Path to the fragment file, such as 'puppet:///modules/pam/limits.nproc'

- *Required*
- *Default*: 'UNSET'

list
----
Array of lines to add to the fragment file

===

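Review bot: `list` is the only parameter in this section without a `- *Default*:` line; add `- *Default*: undef` to match `source` and the rest. The sentence "Source or list **must** be set" also leaves open what happens when both are given: the define treats `list` as taking priority and drops `source`, and that precedence belongs in the README next to this sentence.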
Expand All @@ -327,3 +338,32 @@ content
-------
Content of the PAM file for the service

===

# Hiera example for limits_fragments
<pre>
pam::limits_fragments:
custom:
list:
- '* soft nofile 2048'
- '* hard nofile 8192'
- '* soft as 3145728'
- '* hard as 4194304'
- '* hard maxlogins 300'
- '* soft cpu 720'
- '* hard cpu 1440'
</pre>

This would create /etc/security/limits.d/custom.conf with content
<pre>
# This file is being maintained by Puppet.
# DO NOT EDIT
* soft nofile 2048
* hard nofile 8192
* soft as 3145728
* hard as 4194304
* hard maxlogins 300
* soft cpu 720
* hard cpu 1440
</pre>

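Review bot: the Hiera example exercises only the `list` form; adding a second key that uses `source:` would show how both forms live in one hash and make the `limits_fragments` documentation self-sufficient. One caveat worth a line here: pam_limits does not apply group or wildcard (`*`) entries to root, so anyone copying this sample to constrain root as well needs an explicit `root` entry, and `maxlogins` counts logins per user, not system-wide.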
164 changes: 129 additions & 35 deletions manifests/init.pp
Expand Up @@ -4,9 +4,11 @@
#
class pam (
$allowed_users = 'root',
$ensure_vas = 'absent',
$package_name = undef,
$pam_conf_file = '/etc/pam.conf',
$services = undef,
$limits_fragments = undef,
$pam_d_login_oracle_options = 'UNSET',
$pam_d_login_path = '/etc/pam.d/login',
$pam_d_login_owner = 'root',
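Review bot: `$ensure_vas` is a new class parameter, but the README changes in this PR document only `limits_fragments`; add an `ensure_vas` entry to README.md stating the accepted values, since the class only ever compares it against the literal `'present'` and any other value silently selects the non-VAS stacks.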
Expand Down Expand Up @@ -38,6 +40,7 @@
$system_auth_ac_account_lines = undef,
$system_auth_ac_password_lines = undef,
$system_auth_ac_session_lines = undef,
$vas_major_version = '4',
) {

include nsswitch
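Review bot: `$vas_major_version = '4'` is likewise undocumented in README.md; add it with the accepted values `'3'` and `'4'`. Because the value is only checked inside the `if $ensure_vas == 'present'` branches below, a typo in `vas_major_version` is accepted without complaint whenever VAS is absent; a `validate_re($vas_major_version, '^(3|4)$')` at the top of the class (stdlib is already a dependency given `validate_array` in fragment.pp) would catch it regardless of `ensure_vas`.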
Expand All @@ -51,48 +54,135 @@
$default_package_name = [ 'pam',
'util-linux' ]

$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']
if $ensure_vas == 'present' {
case $vas_major_version {
'3': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
'4': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
default: {
fail("Pam is only supported with vas_major_version 3 or 4. Your vas_major_version is <${vas_major_version}>.")
}
}

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
$default_pam_account_lines = [ 'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_vas3.so show_lockout_msg',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so']
} else {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
}
}
'6': {
$default_pam_d_login_template = 'pam/login.el6.erb'
$default_pam_d_sshd_template = 'pam/sshd.el6.erb'
$default_package_name = 'pam'

$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_fprintd.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
if $ensure_vas == 'present' {
case $vas_major_version {
'3': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass store_creds',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
'4': {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_vas3.so show_lockout_msg get_nonvas_pass',
'auth requisite pam_vas3.so echo_return',
'auth sufficient pam_unix.so nullok try_first_pass use_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']
}
default: {
fail("Pam is only supported with vas_major_version 3 or 4. Your vas_major_version is <${vas_major_version}>.")
}
}

$default_pam_account_lines = [ 'account sufficient pam_vas3.so',
'account requisite pam_vas3.so echo_return',
'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password sufficient pam_vas3.so',
'password requisite pam_vas3.so echo_return',
'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_vas3.so show_lockout_msg',
'session requisite pam_vas3.so echo_return',
'session required pam_unix.so']
} else {
$default_pam_auth_lines = [ 'auth required pam_env.so',
'auth sufficient pam_fprintd.so',
'auth sufficient pam_unix.so nullok try_first_pass',
'auth requisite pam_succeed_if.so uid >= 500 quiet',
'auth required pam_deny.so']

$default_pam_account_lines = [ 'account required pam_unix.so',
'account sufficient pam_localuser.so',
'account sufficient pam_succeed_if.so uid < 500 quiet',
'account required pam_permit.so']

$default_pam_password_lines = [ 'password requisite pam_cracklib.so try_first_pass retry=3 type=',
'password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok',
'password required pam_deny.so']

$default_pam_session_lines = [ 'session optional pam_keyinit.so revoke',
'session required pam_limits.so',
'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid',
'session required pam_unix.so']
}
}
default: {
fail("Pam is only supported on EL 5 and 6. Your lsbmajdistrelease is identified as <${::lsbmajdistrelease}>.")
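Review bot: the VAS auth/account/password/session stacks for EL 5 and EL 6 are duplicated almost line for line, the only differences being `pam_fprintd.so`, `pam_localuser.so` and the inner `case $vas_major_version` with its `fail` message appearing twice; hoisting the VAS `auth` lines out of the release `case` would leave a single place to maintain them. There is also an inconsistency within EL 5: the VAS password stack uses `pam_cracklib.so try_first_pass retry=3 type=` while the non-VAS stack on the same release omits `type=`. Finally, module order has a security consequence the README should spell out: with `auth sufficient pam_vas3.so ... get_nonvas_pass` placed before `pam_unix.so ... use_first_pass`, a credential VAS accepts ends the auth stack immediately, so the `pam_succeed_if.so uid >= 500 quiet` check is never reached for VAS users; if that is intended, say so in the parameter documentation.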
Expand Down Expand Up @@ -316,6 +406,10 @@
create_resources('pam::service',$services)
}

if $limits_fragments != undef {
create_resources('pam::limits::fragment',$limits_fragments)
}

case $::osfamily {
'redhat', 'suse', 'debian': {

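Review bot: `create_resources('pam::limits::fragment',$limits_fragments)` is guarded only by `!= undef`; add `validate_hash($limits_fragments)` ahead of it so a Hiera value that arrives as a string or array fails with a clear message instead of inside `create_resources`. That mirrors the `validate_array($list)` already used in fragment.pp.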
26 changes: 24 additions & 2 deletions manifests/limits/fragment.pp
Expand Up @@ -3,15 +3,37 @@
# Places a fragment in $limits_d_dir directory
#
define pam::limits::fragment (
$source,
$source = 'UNSET',
$list = undef,
) {

include pam
include pam::limits

# must specify source or list
if $source == 'UNSET' and $list == undef {
fail('pam::limits::fragment must specify source or list.')
}

# list takes priority if you specify both
if $list == undef {
$source_real = $source
} else {
$source_real = undef
}

# use the template if a list is provided
if $list == undef {
$content = undef
} else {
validate_array($list)
$content = template('pam/limits_fragment.erb')
}

file { "${pam::limits::limits_d_dir}/${name}.conf":
ensure => file,
source => $source,
source => $source_real,
content => $content,
owner => 'root',
group => 'root',
mode => '0644',
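Review bot: when both `source` and `list` are supplied, `source` is dropped silently (the `# list takes priority` branch sets `$source_real = undef`); a `warning()` in that branch would make the misconfiguration visible in the agent run instead of leaving an operator to wonder why the file they pointed `source` at never lands. `validate_array($list)` only runs in the `list` branch, which is correct, but the `source` branch has no corresponding `validate_string($source)`. The template `pam/limits_fragment.erb` used by `template()` is not among the files shown in this page's changes; confirm it is part of the PR, since `$content` depends on it.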